Windows Security Log Event ID 4717

4717: System security access was granted to an account

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event documents the grant of logon rights such as "Access this computer from the network" or "Logon as a service".

Rights, like most other security settings, are defined in group policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing). Logon ID allows you to link this event to the prior event 4624 logon event of the user who performed this action.


This event, 4717, documents the system name for each logon right as opposed to the more familiar description. Click here for a cross reference.

Note: This event and 4718 log changes to strictly logon rights such as "Access this computer from the network" or "Logon as a service" - not to other rights such as "Change the system time" or "Take ownership of files and other objects". See events 4704 and 4705.

Logon Rights 

System name	Description
SeNetworkLogonRight	Access this computer from the network
SeRemoteInteractiveLogonRight	Allow logon through Terminal Services
SeDenyNetworkLogonRight	Deny access to this computer from the network
SeDenyBatchLogonRight	Deny logon as a batch job
SeDenyServiceLogonRight	Deny logon as a service
SeDenyInteractiveLogonRight	Deny logon locally
SeDenyRemoteInteractiveLogonRight	Deny logon through Terminal Services
SeBatchLogonRight	Log on as a batch job
SeServiceLogonRight	Log on as a service
SeInteractiveLogonRight	Log on locally

 

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4717

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above.

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or - in the case of local accounts - computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Account Modified:

• Account Name: SID of the user/group/computer granted the logon right

Access Granted:

• Access Right: The logon right that was granted - Click here for a cross reference.

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

 

Mini-Seminars Covering Event ID 4717 Building a Security Dashboard for Your Senior Executives 27 Most Important Windows Security Events Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean Top 12 Events to Monitor in the Windows Server Security Log

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy